CVE-2025-58760

Name of the Vulnerable Software and Affected Versions: Tautulli versions prior to 2.16.0

Description: Tautulli is a Python-based monitoring and tracking tool for Plex Media Server. The /image API endpoint is vulnerable to path traversal, allowing unauthenticated attackers to read arbitrary files from the application server's filesystem. Attackers can exfiltrate files, including the tautulli.db SQLite database containing active JWT tokens and the config.ini file which contains the hashed admin password, the JWT token secret, and the Plex Media Server token and connection details. Successful exploitation could lead to administrative control over the application.

Recommendations: Update to Tautulli version 2.16.0 or later.